Patch Analysis for July 2009

July 29, 2009 Update

In an unusual step Microsoft released 2 Out-of-Band patches to address additional Active Template Libary vulnerabilities.  Active Template Library is a coding tool frequently used by web developers to build COM based controls that run in Internet Explorer.  For defense-in-depth layers at both the developer and end-user levels, Microsoft released patches for both Visual Studio (MS09-035) and Internet Explorer (MS09-034).  While the vulnerability are not currenty public or being exploited to our knowledge, I recommend accelerated deployment since Microsoft released them out-of-band.


Some confusing patches this week; made all the more complex given current zero-day exploits.  Make sure you understand the ramifications of the patches you decide to deploy and pay special attention to whether you have utilized the "fix it" options in earlier security advisories on some of these issues.  Depending on the patch you may need to uninstall the fix-it first - or just the opposite!

If you follow the best practice of not browsing multi-media sites and playing games the vulnerability that MS09-028 patches will not be a problem for servers. This is primarily a concern for workstations. The patch installs killbits. Don't uninstall the earlier fix-it in security advisory related to this. If you do it will cause problems with the installation of this patch. Several workarounds are available instead of the patch that will disable playback of some multimedia files.

Be careful with the fix-its. In the case of MS09-029, if you installed a particular workaround fix-it the patch will not install correctly. Therefore it must be disabled first. Just the opposite of MS09-28! Be sure to read all of the advisory notes.
The workaround for MS09-031 disables the default fallback to basic authentication (sometimes called standard authentication) for ISA server.
MS09-032 affects XP and 2003 but a patch is available for other systems to provide defense-in-depth.The patch installs killbits. Don't uninstall the earlier fix-it released with the 972890 Security Advisory released July 13. If you do it will cause problems with the installation of this patch.
Virtual PCs and Virtual servers are not at risk but the host systems are through an attack on the Virtual Machine Monitor. MS09-033 address this vulnerability.
The 973472 Security Advisory released July 13 involves an ActiveX vulnerability. You might have considered setting the kill bit but this should be tested thoroughly as this will break some functionality.
Happy patching!
BulletinExploit Types
/Technologies Affected
System Types AffectedExploit
details public?
/ Being exploited?
MS severity ratingProducts AffectedNotesRandy's recommendation

Arbitrary code

/ Windows
Terminal Servers
No/NoYesCritical Win2000
Restart Req'dPatch after minimal testing

Arbitrary code

/ Office Publisher
Terminal Servers
No/NoYesImportant Office 2007
Restart may be req'dPatch after testing

Arbitrary code

/ ActiveX and Active Scripting
Developer Workstations
No/NoNoModerate Visual Studio .NET 2003
Visual Studio 2005
Visual Studio 2008
 Patch after testing

Privilege elevation

/ Virtual PC; Virtual Server
Virtual Servers
No/NoNoImportant Virtual PC 2004
Virtual Server 2005
Virtual PC 2007
Restart Req'd; Only guest OS vulnerablePatch after testing

Privilege elevation

/ ISA Server
No/NoYesImportant ISA Server 2006
Restart Req'dPatch after testing

Arbitrary code

/ DirectShow (Quick Time files)
Terminal Servers
Yes/YesYesCritical Win2000
Server 2003
DirectX; Restart may be req'dPatch after minimal testing

Arbitrary code

/ Internet Explorer
Terminal Servers
No/NoNoCritical Win2000
 Patch after testing

Arbitrary code

/ Internet Explorer
Terminal Servers
No/YesYesCritical XP
Server 2003
Patch available for other OSsPatch after testing

Receive Randy's same-day, independent analysis each Patch Tuesday

We will not share your address. Unsubscribe anytime. 

"Thank you. I am very glad I subscribed to this newsletter.  Relevant content clearly and concisely. Finally!!!"

- John K.

"I really like the Fast Facts on this Month's Microsoft Security Bulletins. Do you keep old copies? If yes, please let me know how I can access them?"

-Susan D.

"Thanks, Randy. Your regular updates have streamlined my monthly patching. Much appreciated,"

-  Steve T.

"Really appreciate your patch observor. In the corporate IT world, anything we can get our hands on that speeds the process of analyzing threats and how they may or may not apply to our environments is a God-send. Thanks so much for your efforts."

- Tess G.

"Many thanks for this Randy"

- Roger G.

"The chart is a REAAALLY good idea :)"

- Phil J.

"I like the table. Your insight is very valuable. "

Tom C.

"I liked your high level overview of patches in the table. There are so many sources of patch information which can be very specific or surrounded by other stuff that it’s refreshing to get everything summarised like this. The “Randy’s Recommendation” comment is useful starting point too. Please keep up the good work."

- David A.

"Your Patch Observer is a very good tool in making the decision whether to patch or not to patch. And also to patch asap or to wait a while before patching. Also I do think the use of the table is realy improving the readability of the provided information."

- Gerard T.


Additional Resources